Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2013-3263

Publication date:

05/11/2013

Multiple cross-site scripting (XSS) vulnerabilities in the WP Ultimate Email Marketer plugin 1.1.0 and possibly earlier for Wordpress allow remote attackers to inject arbitrary web script or HTML via the (1) siteurl parameter to campaign/campaignone.php; the (2) action, (3) campaignname, (4) campaignformat, or (5) emailtemplate parameter to campaign/campaigntwo.php; the (6) listid parameter to list/edit.php; the (7) campaignid or (8) siteurl parameter to campaign/editcampaign.php; the (9) campaignid parameter to campaign/selectlistb4send.php; the (10) campaignid, (11) campaignname, (12) campaignsubject, or (13) selectedcampaigns parameter to campaign/sendCampaign.php; or the (14) campaignid, (15) campaignname, (16) campaignformat, or (17) action parameter to campaign/updatecampaign.php.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-6077

Publication date:

05/11/2013

Citrix XenDesktop 7.0, when upgraded from XenDesktop 5.x, does not properly enforce policy rule permissions, which allows remote attackers to bypass intended restrictions.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-5670

Publication date:

05/11/2013

Cross-site scripting (XSS) vulnerability in spell-check-savedicts.php in the htmlarea SpellChecker module, as used in Serendipity before 1.7.3 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the to_r_list parameter.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-6617

Publication date:

05/11/2013

The salt master in Salt (aka SaltStack) 0.11.0 through 0.17.0 does not properly drop group privileges, which makes it easier for remote attackers to gain privileges.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-6172

Publication date:

05/11/2013

steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-4439

Publication date:

05/11/2013

Salt (aka SaltStack) before 0.15.0 through 0.17.0 allows remote authenticated minions to impersonate arbitrary minions via a crafted minion with a valid key.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-4438

Publication date:

05/11/2013

Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-4437

Publication date:

05/11/2013

Unspecified vulnerability in salt-ssh in Salt (aka SaltStack) 0.17.0 has unspecified impact and vectors related to "insecure Usage of /tmp."

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-4436

Publication date:

05/11/2013

The default configuration for salt-ssh in Salt (aka SaltStack) 0.17.0 does not validate the SSH host key of requests, which allows remote attackers to have unspecified impact via a man-in-the-middle (MITM) attack.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-4435

Publication date:

05/11/2013

Salt (aka SaltStack) 0.15.0 through 0.17.0 allows remote authenticated users who are using external authentication or client ACL to execute restricted routines by embedding the routine in another routine.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2011-5267

Publication date:

05/11/2013

Multiple cross-site scripting (XSS) vulnerabilities in spell-check-savedicts.php in the SpellChecker module in Xinha, as used in WikiWig 5.01 and possibly other products, allow remote attackers to inject arbitrary web script or HTML via the (1) to_p_dict or (2) to_r_list parameter. NOTE: this issue might be related to the htmlarea plugin and CVE-2013-5670.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

CVE-2013-6366

Publication date:

04/11/2013

The Groovy script console in VMware Hyperic HQ 4.6.6 allows remote authenticated administrators to execute arbitrary code via a Runtime.getRuntime().exec call.

Severity CVSS v4.0: Pending analysis

Last modification:

11/04/2025

Subscribe to Vulnerabilities